Security Articles

Errors in Security Technical Documentation: What Can Go Wrong?

Technical documentation is either the first or the last stop for users looking for authentic information. Its main purpose is to link ideas, technologies, processes, and products with the people who need to understand or use those products, in an "audience-friendly" way.

For technical documentation, the quality of the document should be built into the process. This is best done by detailing the requirements for the service, product or tool while the documentation is being created, since creation is one of the key aspects of it.

How to achieve quality?

Create a style guide: The style guide defines the language to be used. Defining this early on ensures that consistent, unambiguous words and phrases are agreed upon, which makes the document and review process simpler.

Are we still hesitant about the importance of security in wireless implementations?

In our day-to-day life, wireless technologies like Bluetooth and Wi-Fi play an important role for individuals and for organizations that deploy wireless networks, applications, and devices to improve employee productivity. But when confidential, personal and private data flows over a wireless path, how can we be confident that our data is secure and is not tampered with or stolen in transit over the air? This is where wireless security matters, both for our home networks and for all organizations deploying wireless networks, applications and devices, and this article sheds some light on the basics of wireless security and its importance.

Defense-in-Depth – What Strategy To Follow?

Defense in depth (also known as Castle Approach) is an information assurance (IA) concept in which multiple layers of security controls are placed throughout an information technology (IT) system. It is the concept of protecting a computer network with a series of defensive mechanisms such that if one mechanism fails, another will already be in place to thwart an attack.

How to exploit a Cross-Site Request Forgery attack on web applications where the request is posted in JSON format!

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

Please see the attached PDF to read more about how a CSRF attack works and the recommendations for protecting yourself against this attack.

Does the PCI DSS standard meet the requirements of the GDPR?

The objective of both the PCI DSS and the GDPR is to ensure that the personal data an organization holds is kept secure. PCI DSS focuses mainly on payment card and cardholder data, whereas the GDPR focuses on European residents’ personal data. The main difference is that the GDPR is less prescriptive than the PCI DSS.

The GDPR provides guidance on what needs protecting but does not define a detailed action plan, whereas PCI DSS clearly defines the objective to be achieved and gives clear direction for securing payment card and cardholder data.

PCI DSS as a standard for achieving the objectives of the GDPR

Perturbed over login ID and password data breach? Not anymore!

In recent years, we have been hearing of numerous ‘Login ID’ and ‘Password’ related data breaches involving popular websites and other online services. It is also likely that your application credentials are listed in a massive file that is floating around on the Dark Web. These breaches can lead to a “Loss of Trust” with customers. Loss of Trust leads to ‘Loss of Brand Loyalty’ and eventually results in ‘Loss of Business’.

Let us see how these security issues can be addressed. Most of us will obviously think of multi-factor authentication and risk-based/behavioral authentication. Although it is the obvious solution that comes to mind, multi-factor authentication often creates a conflict between ‘compliance requirements’ and ‘user convenience’. Ideally, we should be thinking about a solution that fortifies application security without compromising the user experience.

IoT Security in 2018

The Internet of Things (IoT) offers the potential to exchange information and insights in real time, across a connected network.

The number of IoT devices increased 31% year-over-year to 8.4 billion in 2017 and it is estimated that there will be 30 billion devices by 2020. The global market value of IoT is projected to reach $7.1 trillion by 2020.

IoT involves extending internet connectivity beyond standard devices, such as desktops, laptops, smartphones and tablets, to any range of traditionally dumb or non-internet-enabled physical devices and everyday objects. Embedded with technology, these devices can communicate and interact over the internet, and they can be remotely monitored and controlled.

Gartner identifies the top 10 Internet of Things (IoT) technologies as below:

Session Puzzling: Solving the puzzle!

Session puzzling is an application-level vulnerability that occurs when an application session variable is used for more than one purpose. Session puzzling is also known as session variable overloading.

The attacker tries to access application entry points. While exploiting session puzzles, the creation of session objects can be initiated indirectly, and later exploited, by accessing an entry point such as a web service, a web page, a remote procedure call, etc.

Session puzzling enables attackers to bypass authentication, impersonate legitimate users, elevate privileges, bypass flow restrictions, and even execute additional attacks.

Machine Learning in Cyber Security

Nowadays, every single human activity is connected to a digital system, and these digital systems rely on programming languages. When a system can analyze previous activity and learn how the data should be processed without any human interaction, that concept leads to a technology called machine learning.

In the case of cyber security, machine learning helps analyze previous cyber attacks and develop protective responses accordingly. Cyber security is one of the latest sectors to see huge investment in machine learning, in response to increasing cyber threats.

In the past, machine learning was not widely used in cyber security. Network administrators struggled to find and track attacks, and it took them a lot of time even to detect one. Now, much security software has been developed to support humans in maintaining systems effectively.

Bluetooth Security Flaw Could Allow Nearby Hackers to Steal Your Data

A newly discovered bug in Bluetooth implementations and operating system drivers allows hackers to gain unauthorized access to a device and steal data.

Bluetooth firmware or operating system software drivers may not adequately validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to gain the encryption key used by the device.

Hackers get access to the data by forcing a device to use a known pairing key. For instance, when pairing a phone with a computer, you might be prompted to enter a five-digit code. Hackers leverage that code to intercept information when the device is paired again. This flaw is different from the BlueBorne virus that cropped up last year, which allowed hackers to gain control of a device using its Bluetooth connection.
